Does shuffle() produce a uniform result?

Paul Rubin http
Tue Sep 4 02:42:56 EDT 2007


Antoon Pardon <apardon at forel.vub.ac.be> writes:
> > No the idea is that once there's enough entropy in the pool to make
> > one encryption key (say 128 bits), the output of /dev/urandom is
> > computationally indistinguishable from random output no matter how
> > much data you read from it.
> 
> If you were talking about /dev/random I would agree. But this is what
> the man page on my system says about /dev/urandom. ...
>        the returned values are theoretically vulnerable to a
>        cryptographic attack on the algorithms used by the driver.

Right.  The idea is that those attacks don't exist and therefore the
output is computationally indistinguishable from random.  Of course,
whether the idea is correct is an unproven conjecture, but it looks
pretty good; certainly finding any problem with the specific
algorithms in urandom would be a significant research discovery and
not likely to affect the application being discussed.  Finding a
general attack that couldn't be fixed with some simple tweak would be
a major crypto breakthrough that would probably reshape a lot of
complexity theory.  This is unlike the situation with Mersenne
Twister, which was not designed for indistinguishability against an
opponent who knew what to look for.

In short, using /dev/random is fairly silly once you know there's
enough entropy in the randomness pool to make a good key.  If
/dev/urandom's algorithms are broken then whatever you're doing with
the /dev/random output is probably also broken.
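An added example, not part of Paul Rubin's message or the thread, to make the Mersenne Twister point concrete: 624 consecutive 32-bit outputs of Python's default `random` generator (MT19937) are enough to rebuild its internal state by undoing the tempering step, after which an observer predicts every later `shuffle()` exactly. The second half shows the fix the thread is arguing for: a Fisher-Yates shuffle that takes its indices from `os.urandom`, with rejection sampling so each index is uniform rather than modulo-biased. The tempering constants are MT19937's published ones; the `(3, state_tuple, None)` layout is CPython's documented `getstate()`/`setstate()` format, and `getrandbits(32)` returning exactly one tempered word is a CPython implementation detail this example relies on.

```python
import os
import random

MASK32 = 0xFFFFFFFF


def temper(y):
    """MT19937 output tempering, as applied to each raw state word."""
    y ^= y >> 11
    y ^= (y << 7) & 0x9D2C5680
    y ^= (y << 15) & 0xEFC60000
    y ^= y >> 18
    return y & MASK32


def _undo_right_shift(y, shift):
    # Invert y = x ^ (x >> shift): iterate until all 32 bits are recovered.
    z = y
    for _ in range(32 // shift + 1):
        z = y ^ (z >> shift)
    return z


def _undo_left_shift(y, shift, mask):
    # Invert y = x ^ ((x << shift) & mask) the same way, low bits first.
    z = y
    for _ in range(32 // shift + 1):
        z = y ^ ((z << shift) & mask)
    return z & MASK32


def untemper(y):
    """Recover the raw state word from one tempered 32-bit output."""
    y = _undo_right_shift(y, 18)
    y = _undo_left_shift(y, 15, 0xEFC60000)
    y = _undo_left_shift(y, 7, 0x9D2C5680)
    y = _undo_right_shift(y, 11)
    return y


def clone_mt(outputs):
    """Build a random.Random in the same state as the generator that
    produced these 624 consecutive getrandbits(32) values."""
    if len(outputs) != 624:
        raise ValueError("need exactly 624 consecutive 32-bit outputs")
    # Index 624 means "block exhausted": the clone regenerates from the
    # recovered words on its next call, exactly as the victim will.
    state = tuple(untemper(o) for o in outputs) + (624,)
    clone = random.Random()
    clone.setstate((3, state, None))
    return clone


def mt_shuffle_is_predictable(seed=12345, deck_size=52):
    """True if a clone built from observed outputs predicts the victim's
    next shuffle of a fresh deck. The seed is a constructed stand-in for
    whatever the victim actually seeded with."""
    victim = random.Random(seed)
    observed = [victim.getrandbits(32) for _ in range(624)]
    clone = clone_mt(observed)
    victim_deck = list(range(deck_size))
    predicted_deck = list(range(deck_size))
    victim.shuffle(victim_deck)
    clone.shuffle(predicted_deck)
    return victim_deck == predicted_deck


def _urandom_below(n):
    """Uniform integer in [0, n) from os.urandom via rejection sampling.
    Taking k = n.bit_length() bits and retrying on r >= n avoids the
    modulo bias that `int.from_bytes(...) % n` would introduce."""
    k = n.bit_length()
    nbytes = (k + 7) // 8
    while True:
        r = int.from_bytes(os.urandom(nbytes), "big") >> (nbytes * 8 - k)
        if r < n:
            return r


def secure_shuffle(items):
    """Fisher-Yates shuffle driven by the kernel CSPRNG (/dev/urandom on
    Linux); equivalent in spirit to random.SystemRandom().shuffle()."""
    items = list(items)
    for i in range(len(items) - 1, 0, -1):
        j = _urandom_below(i + 1)
        items[i], items[j] = items[j], items[i]
    return items


if __name__ == "__main__":
    print("MT19937 shuffle predicted from 624 outputs:",
          mt_shuffle_is_predictable())
    print("CSPRNG-driven shuffle:", secure_shuffle(range(10)))
```

The clone works because tempering is a bijection on 32-bit words and MT19937's next block is a deterministic function of the current 624 words; no secret survives observation. The same 624-output recovery applies to `random.random()` with a little more work (each call consumes two words), so the only robust fix is the one in the thread's conclusion: feed security-sensitive choices from the kernel pool, as `random.SystemRandom` or `secrets` do, rather than from the default generator.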


